In its latest effort to give companies clarity on whether they can lawfully provide cybersecurity protection to political campaigns for free or at a low cost, the Federal Election Commission indicated this week it could be close to greenlighting anti-spearphishing services in a case currently before the commission.
That tentative conclusion, not guaranteed until the FEC issues a formal advisory opinion, was reached Thursday during a commissioners’ meeting on a request from anti-spearphishing company Area 1 Security. It marked a shift from how the FEC appeared to be leaning on the issue earlier this week. The FEC’s legal team on Monday issued two draft opinions which both recommended blocking Area 1 from providing anti-spearphishing services at a discounted rate over concerns the lower rates would effectively serve as an in-kind contribution that could curry political favor with politicians in the future.
Existing campaign finance law bars corporate contributions to campaigns, an issue that has given campaigns reason to pause on signing up with Area 1’s anti-phishing service, Area 1 CEO Oren Falkowitz told CyberScoop.
Barring free or low-cost provision of anti-spearphishing to political campaigns or committees would be “out of step” with what candidates need right now, especially given the threats they face from nation-states as the 2020 presidential election cycle gears up, Falkowitz said before Thursday’s hearing. Russian hackers successfully spearphished Hillary Clinton’s campaign chairman, John Podesta, with an email in 2016. The FEC’s consideration of the question comes just as the FBI warns that nation-states will continue to target U.S. elections.
Falkowitz took issue with both of the FEC’s draft opinions during Thursday’s meeting, saying Area 1 would not be going above and beyond its current offerings, a concern of the FEC’s in one draft opinion. Area 1 already provides its service, at what Falkowitz said he considers to be a low cost of $1,337 per year, to noncommercial groups that have a small number of employees. Working with campaigns with similar staffing sizes at this fixed low price would be no different, he argued.
The path forward
Upon learning Area 1 has an existing $1,337 fixed offering, several commissioners appeared to think Area 1 may actually be requesting to provide a service that does fit within existing business practices.
“I actually don’t think you need to be here,” Commissioner Caroline Hunter said after hearing about the low-cost bucket in Area 1’s current offerings.
FEC Chair Ellen Weintraub suggested the FEC may be able to approve Area 1 if it submits a new request focusing on the fixed rate.
“If there is a way to say yes without doing damage to the law, I would be inclined to do so,” she said. “I think there could be a path forward here but I’m not sure it’s the answer to the request you gave us.”
One argument Area 1 made in its initial request was to suggest its employees would be more motivated at work if they were providing services to candidates, an assertion Weintraub said could open “a colossal loophole.”
Dan Petalas, former acting general counsel for the FEC, who now serves as outside counsel for Area 1, told CyberScoop Area 1 will be withdrawing its initial request and submitting a new one following the commissioners’ recommendation.
Another question the FEC raised in a separate draft opinion this week was whether Area 1 had sufficient business interest in campaign election security, arguing that Area 1 providing its product at little or no cost may not necessarily provide enough value to the company on par with what it could make with other clients. That raised the question of whether the company would or could seek other forms of compensation from possible political campaign clients.
Falkowitz refuted that notion on Thursday.
“I just want to be clear that we’re not offering services to candidates to curry any favor,” Falkowitz said.
Working on preventing spearphishing attempts against political candidates would provide value to his business because Area 1 would be better positioned to gather data on real nation-state tactics to bolster its offerings, he said.
“Candidates in particular are acutely attacked by nation-state actors,” Falkowitz pointed out. “For us to be commercially successful in cybersecurity there’s a need for access to real attack scenarios and these scenarios are particularly acute as they relate to elections.”
In the past, the FEC has ruled that a corporation could provide cybersecurity services for free to campaigns and political committees. That decision, issued last year in regards to a request from Microsoft, hinged in part on the fact that the FEC recognized Microsoft had a business interest in working to prevent cyberattacks that could damage the company’s reputation, as some cyberattacks rely on Microsoft infrastructure.
In a separate case, the FEC ruled last month that a non-profit could provide free or low-cost services to campaigns and committees in part because of the “highly unusual and serious threat” foreign adversaries pose to U.S. elections.
Does Congress have a role here?
The deliberative process over Area 1’s request indicates that past opinions on cybersecurity services might not serve as precedent.
But so long as campaigns are hesitant or unable to dedicate resources to cybersecurity, the FEC appears poised to continue receiving requests from companies seeking clarity on whether they’re breaking the law by offering services for free or low-cost to protect elections — even when their intention isn’t to curry political favor.
Weintraub suggested Congress may need to codify exceptions to campaign finance law to help define what kinds of election cybersecurity measures are allowed.
“Congress could create an exception in the law,” she said. “Congress could say, ‘Cybersecurity doesn’t count, if you’re offering cybersecurity services you’re exempt from the corporate contribution ban.’ They could do that. I’m not sure we could do that.”
The chief of staff at the Campaign Legal Center, Adav Noti, told CyberScoop he thinks it would be the ideal if Congress examined changing the law. That, he said, could prevent a conundrum for the FEC in which it considers requests on election cybersecurity from companies that actually do want to curry political favor with candidates.
Last month Sen. Ron Wyden introduced a proposal that would allow national party committees to provide campaigns and state parties cybersecurity assistance.
“The 2016 election made it painfully clear that campaigns need more help defending against sophisticated cyberthreats,” Wyden said.